Whenever I enter a login into a new site, Chrome asks me if it should store the login details. I used to believe this was fairly secure. If someone found my computer unlocked, they could get past the login screen for some website using the stored details, but if asked for the password again like during checkout, or if they wanted to login to the service from another device, they would be out of luck.

At least, that's what I used to think when I believed the browser did not store the password itself, but a hash or encryption of the password. I have noticed that the browser fills the username and password fields, and the password field indicates the number of characters in the password.

I'm one of those people who when asked to change their password just keeps the same password, but changes a number at the end. I know this is bad, but with how often I am asked to change passwords, I really could not remember the number of passwords expected of me. This results in a lot of passwords that are the same, but sometimes I forget what the end number needs to be for a particular login.

I could not remember the ending number for a certain login, so I went to a website where the password was stored. I deleted the last couple of characters and tried different numbers and voilà, I knew what the right ending number was.

It seems to me that this is a fundamental security flaw. If I can check the last character of my password without checking any others, then the amount of tries it takes to crack the password grows linearly with the number of characters not exponentially. It seems like a short stride from there to say that if someone came to my computer when it was unlocked, a simple script could extract all of the stored passwords for all of the major websites which I have passwords stored for.

Is this not the case? Is there some other layer of security that would prevent this?

This question came from our site for software developers, mathematicians and others interested in cryptography.

I think you'd benefit greatly from using a password manager like LastPass.
– Awn, Oct 2 '17 at 10:08

The answer to this question will depend greatly on which browser you're talking about when you say "a browser". In this case it's Chrome, but in theory there's no reason a different browser couldn't manage passwords in a much more secure way. Or perhaps a future Chrome update could include functionality which would greatly enhance the security of this feature. Just something to keep in mind when reading the following answers.
– Ajedi32, Oct 2 '17 at 15:01

@Awn: Aren’t browser add-ons an even worse security threat? Chrome gives the add-on author unlimited power to “update” it. This allows him to upload malicious code to steal users’ account and password data, then upload benign code again – and no one would know.
– 7vujy0f0hy, Oct 3 '17 at 12:47

Chrome password manager is definitely not secure. Yesterday I got a malware infection (by my error) and all of my Chrome saved passwords were dumped into the malware's directory in AppData as a txt file.
– midlan, Dec 12 '18 at 12:24

Malware could dump any password storage if it was unlocked at the time, and Chrome's password storage unlocks when you login. That doesn't make it insecure, it just means malware isn't a threat it was designed to protect against (along with every other password vault, if you unlock your passwords while you have malware running there's not really much that can be done).
– AndrolGenhald, Dec 12 '18 at 14:28

9 Answers
Chrome not only stores your password text, it will show it to you. Under settings -> advanced -> manage passwords you can find all your passwords for all your sites. Click show on any of them and it will appear in the clear.

Hashed passwords work for the site authenticating you. They are not an option for password managers. Many will encrypt the data locally, but the key will also be stored locally unless you have a master password setup.

Personally, I use the chrome password manager and I find it convenient. I also, however, have full disk encryption and lock my screen diligently. Which makes the risk reasonable imho.

You seem to be inconsistent (many are) by both selecting memorable passwords and using a password manager. And I may venture to guess you may even repeat the password or at least the theme across many sites. This gives you the worst of both worlds. You get the risks of password manager without the benefits.

With a password manager you trust, you can give each site a unique random password not memorable at all and gain a lot of protection from many very real attack vectors. In exchange for a single point of failure of your password manager. Even with a less than perfect password manager this isn't an unreasonable trade off. With a good password manager this is becoming the consensus best practice.

Edit to add: please read Henno Brandsma's answer explaining how the login password and OS support can be used to encrypt passwords. This gives a reasonable level of protection to your passwords when the computer is off/locked (full disk encryption is better), but won't help much if you leave your computer unlocked. Even if the browser requires a password to show plain text, debug tools will still let you see already filled passwords, as @Darren_H comments. The previous recommendation still stands: use random unique passwords and a password manager.

In the latest Chrome version (68), the menu is not in the Advanced section, but in the first section (settings -> People -> passwords) - or simply type "chrome://settings/passwords" in the browser address bar
– Sandra Rossi, Oct 27 '18 at 8:18

Chrome (under Windows) actually does encrypt the passwords when stored. But it does it in a way that only someone knowing your login password (or hijacking your login session) can actually use or view the stored passwords. This is well-documented (it uses the so-called Data Protection API (DPAPI), which is in Windows from NT 5.0 (i.e. Windows 2000) onwards, which nowadays uses AES-256 to encrypt the password data). Google believes that this is enough security, because it has the same level of protection as your whole login. On the Mac or Linux they use the native keychain technology to protect a special Chrome master password, achieving the same effect, essentially. Read the sources for all the details...

Edge and IE (available on Windows only of course) also use this technology, BTW, under a wrapper called the Credential Store, in recent versions of Windows (and before that they used DPAPI data stored in the registry). For more info on DPAPI, see here, e.g.

On typical Linux desktop systems Chrome will use the session keyring (i.e. GNOME Keyring or KWallet, which cover the vast majority of Linux desktop installations), which encrypts passwords with a key derived from the user account password for storage.
– David Foerster, Oct 2 '17 at 6:39

@DavidFoerster indeed, it puts a Chrome random "password" there which derives the key used in the password database. The keychain/wallet has the same level of protection as the login, just as Windows does.
– Henno Brandsma, Oct 2 '17 at 6:54

Although not selected as the answer, this answer should not be overlooked and seriously considered by one trying to assess the risk of using Chrome's password store and how to minimize the risk.
– Thomas Carlisle, Oct 2 '17 at 16:34

Note on Linux, the place Chrome stores passwords (which keyring to use, or outside of the keyring, unencrypted in Chrome's data folder) can be modified using the --password-store setting.
– Ben J, Feb 5 at 18:09

@Uniphonic LastPass can see them because it’s running as you, and the encryption keys are available to you, as Chrome has no “salt” it uses unique to itself, which it could do. But being open source means anyone can go see that “chrome salt” too, so that defeats the purpose. The second issue comes from Chrome syncing passwords across computers when you log in with your Google account. It’s a setting you can disable if you don’t want that to happen. Malware that runs at your user level can indeed also see it, if it’s aware of it.
– Henno Brandsma, Mar 25 at 18:23
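To make the comments above about the Linux key derivation concrete: with --password-store=basic (or no keyring available), Chromium's os_crypt on Linux stores each password_value in the Login Data SQLite file as the prefix "v10" followed by AES-128-CBC of the PKCS#7-padded password, keyed by PBKDF2-HMAC-SHA1(password = "peanuts", salt = "saltysalt", 1 iteration, 16 bytes) with an IV of sixteen ASCII spaces. "v11" entries use the same construction, but the PBKDF2 input is the random secret Chrome put in the keyring (the "Chrome random password" mentioned above), so they are only as protected as the keyring. The Go program below is an added example, not Chromium code and not from any answer here: the constants are those of Chromium's os_crypt_linux.cc, the encrypted blob it decrypts is constructed inside the program (no real Login Data file is read), and the DPAPI-wrapped Windows format is deliberately not handled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"errors"
	"fmt"
)

// Constants from Chromium's os_crypt_linux.cc (real values, not assumptions).
const (
	chromeSalt      = "saltysalt"
	basicStorePass  = "peanuts" // used with --password-store=basic / no keyring
	linuxIterations = 1
	derivedKeyBytes = 16    // AES-128
	v10Prefix       = "v10" // "v11" marks an entry keyed from the keyring secret
)

// ivSpaces is the fixed IV Chromium uses: sixteen ASCII spaces.
var ivSpaces = bytes.Repeat([]byte{' '}, aes.BlockSize)

// pbkdf2SHA1 derives dkLen (<= 20) bytes with PBKDF2-HMAC-SHA1 (RFC 8018).
// A 16-byte AES key fits in one SHA-1 output block, so the block loop is omitted.
func pbkdf2SHA1(password, salt []byte, iterations, dkLen int) []byte {
	if dkLen > sha1.Size || iterations < 1 {
		panic("pbkdf2SHA1: unsupported parameters")
	}
	prf := hmac.New(sha1.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): block index, big-endian
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t[:dkLen]
}

// chromeKey derives the Login Data encryption key from the store password.
func chromeKey(storePassword string, iterations int) []byte {
	return pbkdf2SHA1([]byte(storePassword), []byte(chromeSalt), iterations, derivedKeyBytes)
}

// DecryptV10 decrypts a password_value blob laid out as
// "v10" || AES-128-CBC(key, IV = 16 spaces, PKCS#7(plaintext)).
func DecryptV10(blob []byte, key []byte) (string, error) {
	if !bytes.HasPrefix(blob, []byte(v10Prefix)) {
		return "", errors.New("not a v10 blob (v11 needs the keyring secret; Windows blobs are DPAPI-wrapped)")
	}
	ct := blob[len(v10Prefix):]
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext length is not a multiple of the AES block size")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, ivSpaces).CryptBlocks(pt, ct)
	// PKCS#7 unpadding with validation, so a wrong key is usually rejected.
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || pad > len(pt) {
		return "", errors.New("bad padding")
	}
	for _, b := range pt[len(pt)-pad:] {
		if int(b) != pad {
			return "", errors.New("bad padding")
		}
	}
	return string(pt[:len(pt)-pad]), nil
}

// EncryptV10 is what Chrome does on save; here it only builds a constructed
// sample blob, since no real Login Data row is embedded in this example.
func EncryptV10(plaintext string, key []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, ivSpaces).CryptBlocks(ct, padded)
	return append([]byte(v10Prefix), ct...)
}

func main() {
	key := chromeKey(basicStorePass, linuxIterations)
	blob := EncryptV10("correct horse battery staple", key) // constructed sample row
	fmt.Printf("password_value: %x\n", blob)
	pw, err := DecryptV10(blob, key)
	fmt.Printf("recovered: %q (err=%v)\n", pw, err)
}
```

The point to take from it is the one made in the comments: nothing in the v10 path is secret, so anyone running as your user (a person at the unlocked desk, or malware) can recover every basic-store entry; with a keyring the v11 secret is still handed to any process in your session once the keyring is unlocked.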

In Firefox you can actually set a master password which will protect your stored passwords from being viewed. This master password will also be required once per session before the browser will start filling in passwords for you.

You could also use a general purpose password manager for example Keepass.

Anyway, for most people the danger of losing a password because one site got hacked is greater than losing it on their own computer. That's because an attacker with access to your computer has many other options for attacking you. One of the main benefits of using a password manager is that you don't have to manually enter the password anymore so you can actually pick completely random and secure passwords.

If you have been reusing passwords for a while there is a neat site for checking some of the more prominent breaches to see if you have been affected: https://haveibeenpwned.com/

If you have to use many different machines you can consider using something like Keepass2Android on your phone.
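The site linked in this answer also exposes its Pwned Passwords corpus through a range API (GET https://api.pwnedpasswords.com/range/ followed by the first five hex characters of the password's SHA-1), which lets you test a reused password against known breaches without sending the password or even its full hash. The Go program below is an added example, not part of this answer and not Have I Been Pwned's own tooling: the range response it matches against is constructed inline (the counts are made up) so it runs offline, and HTTPRange is the real network fetcher you would pass instead of OfflineRange.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"strconv"
	"strings"
)

// RangeFetcher returns the body of GET https://api.pwnedpasswords.com/range/<prefix>
// for a 5-hex-character prefix. It is injected so the lookup can be tested offline.
type RangeFetcher func(prefix string) (string, error)

// HTTPRange is the real fetcher: only the first five hex characters of the SHA-1
// leave the machine (the API's k-anonymity model).
func HTTPRange(prefix string) (string, error) {
	resp, err := http.Get("https://api.pwnedpasswords.com/range/" + prefix)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("range API returned %s", resp.Status)
	}
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// SplitHash returns the uppercase hex SHA-1 of password, split into the 5-char
// prefix that is sent and the 35-char suffix that is matched locally.
func SplitHash(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// PwnedCount returns how many times the password appears in the corpus
// (0 if absent). Response lines have the form "SUFFIX:COUNT".
func PwnedCount(password string, fetch RangeFetcher) (int, error) {
	prefix, suffix := SplitHash(password)
	body, err := fetch(prefix)
	if err != nil {
		return 0, err
	}
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		parts := strings.SplitN(strings.TrimSpace(sc.Text()), ":", 2)
		if len(parts) != 2 {
			continue
		}
		if strings.EqualFold(parts[0], suffix) {
			return strconv.Atoi(strings.TrimSpace(parts[1]))
		}
	}
	return 0, nil
}

// sampleRange is a CONSTRUCTED stand-in for the API response to prefix 5BAA6
// (the prefix of SHA-1("password")); every count here is made up for the example.
const sampleRange = "1E2F8D8A0E1A4D0C2A9C0B0D1E2F3A4B5C6:2\r\n" +
	"1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n" +
	"1F6A2B3C4D5E6F708192A3B4C5D6E7F8091:17\r\n"

// OfflineRange serves the constructed sample for prefix 5BAA6 and an empty range otherwise.
func OfflineRange(prefix string) (string, error) {
	if prefix == "5BAA6" {
		return sampleRange, nil
	}
	return "", nil
}

func main() {
	for _, pw := range []string{"password", "correct horse battery staple"} {
		n, err := PwnedCount(pw, OfflineRange)
		fmt.Printf("%q seen %d times (err=%v)\n", pw, n, err)
	}
}
```

A count above zero means the exact password is in a public breach dump and should be retired everywhere it was reused; it says nothing about the "same password plus a number" variants discussed in the question, which an attacker with one breached value would try first anyway.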

@jiggunjer - so if someone gets access to password A, they have access to your bank & google & hosting & crypto currency & OS. Disaster. At the very least each of these should have two factor authentication OR a unique password. Preferably both.
– Katinka Hesselink, Oct 6 '17 at 11:27

@Katinka-Hesselink not my bank or Google, and my OS/wallet require physical access. That is two factor. Yeah they can get both my hosting and my VPN, if they know which services I use and which emails are linked to them. Unlikely.
– jiggunjer, Oct 6 '17 at 13:30

@jiggunjer I've learned now that what is unlikely for the user is just an incentive for the hacker. Hackers like challenges and if they see one, they'll go for it.
– Buffer Over Read, Oct 7 '17 at 15:50

A malicious user can simply run this password dumper or install malware and then remotely run this tool. However, a non-technical user would not be able to accomplish this task. Therefore, storing passwords in the browser is safe against non-technical people, but ineffective against malware or technical users.

The question is about someone accessing his computer when he is unattended. Furthermore, with admin privileges gained by UAC bypass or other vulnerabilities such as dll hijacking, all user's data can be accessed.
– Daniel Grover, Oct 4 '17 at 15:01

@jiggunjer See my answer above, it uses DPAPI whose security ultimately depends on your login password strength (if the attacker cannot dump process memory, where the keys also reside). If you run it yourself Windows does the decryption with CryptUnprotectData because you have access to your own keys.
– Henno Brandsma, Jun 15 '18 at 7:24

You can also view passwords in Chrome by changing the HTML. Change the type of the input field to "text" and you can see pre-filled information in plain text.
So if someone at your computer knows a website you are registered on, and Chrome autofills your password, they can see it.

The biggest danger is having a browser without a master password and leaving your computer without locking it: Anyone can then quickly take a picture of your stored passwords, it just takes a few seconds.
So the obvious: always lock your computer and set a master password, do not reuse passwords or similar patterns ...

In order to get Chrome to display a password in plain text, you have to enter your login password. And it will only do one at a time. As far as I can tell, there's no way to get it to display all your passwords.
– Barmar, Oct 2 '17 at 14:27

So that is more secure than the Firefox default.
– Christophe Roussy, Oct 2 '17 at 15:29

Sounds like a time-based auto logout extension might be a good idea. E.g. logout chrome after 15 minutes of inactivity.
– jiggunjer, Oct 4 '17 at 5:13

If you are worried about someone accessing your laptop while you are logged in (e.g. you are using it at work or in a public place and occasionally leave it unguarded, or you don't trust a family member), storing the password in a browser is not a good solution. If you are worried about malware on your computer (which might capture your typing) or people seeing what you type, it is pretty secure against that, and those are much more common concerns.

This answer is reversed imo. Non-tech-savvy users are unlikely to be able to get the plaintext passwords, but malware can easily dump them without user interaction. See my answer. You can run the tool yourself if you don't believe me.
– Daniel Grover, Oct 2 '17 at 19:41

Chrome with a master password is IMO about as well protected against password theft as a password manager. (Which is to say, not terribly well. If something is running on your machine and has the same access rights you have, your chances of preventing it from stealing your passwords are fairly limited.) Without a master password, neither browsers nor password managers can provide much defense.
– Tgr, Oct 2 '17 at 23:15

It is pretty certain that no mechanism is 100% safe, but some mechanisms are safer than others. At the simplest level a long password is safer than a short password but is more difficult to remember and type correctly. What you have to decide is where the balance between safety and ease of use lies. Password managers are one answer if the cost/risk ratio feels right for you.

If you do not trust any mechanism that stores your password on your computer, then one way of getting around this is to use an algorithm to generate one for you each time you need it. I happen to use a little program that implements a variant of Playfair (https://en.wikipedia.org/wiki/Playfair_cipher) to generate part of my password for any given site - which has the advantage that I can create it by hand if I have to. However do avoid trivial algorithms (like just reversing the letters in a web-site).

On Linux Chrome uses kwallet / gnome-keyring on the KDE or gnome desktop, which should both provide good security. On OSX it uses the OSX keyring, which has good security, too.
On windows they implement their own password storage, which is not as secure as the system keyrings on the other OS.

For the specific weaknesses in the windows implementation see the other answers.